
Inside Google's team battling hackers

By Robert McMillan, WSJ

Wed., Jan. 23, 2019

Shane Huntley and his team have tracked Iranian hackers as they spread disinformation in the U.S., unmasked North Korea’s responsibility for a crippling global computer virus and probed Russians linked to the 2016 hack of the Democratic National Committee.

Mr. Huntley doesn’t work for the National Security Agency or another government spy shop. He heads Google’s in-house counterespionage group, which has emerged as an important force in the battle against hackers and a leading example of tech giants building up powerful cybersecurity defenses in an age of rising nation-state hacks.

Photo: Krisztian Bocsi / Bloomberg

Staffed partly by former government agents, these groups at companies including Google, Facebook Inc. and Microsoft Corp. play a central role keeping criminals and spies away from the ocean of personal information online as people rely more on their products. The tech giants’ access to that data and their huge user networks mean they are in some ways more effective in fighting intrusions than governments, executives say.

Mr. Huntley’s 27-person Threat Analysis Group tracks more than 200 hacker groups that pose a threat to Google and its users, analyzing hacking techniques and clues to the groups’ identities to head off attacks. It leverages access to data across widely used Google products—Gmail, for example, has more than 1.5 billion accounts world-wide—and to a database of attack code called VirusTotal managed by another arm of Google-parent Alphabet Inc.

Last summer, the Threat Analysis Group stopped an Iranian-backed disinformation campaign by pulling dozens of YouTube channels that were using fake accounts to push misleading political stories, primarily about the Middle East, on behalf of the Iranian government. Disinformation—especially around elections—is a new focus for Mr. Huntley’s team.


“Google probably has the most useful data set available to any private company for tracking state adversaries and intelligence services,” said Alex Stamos, former chief security officer at Facebook Inc. and now an adjunct professor at Stanford University’s Freeman Spogli Institute. He likens Google’s efforts to those of a small intelligence agency. “You put that all together, and they are probably second only to the intelligence community” in terms of useful data, he said.

The companies balance cybersecurity protection against other business priorities, and are sometimes reluctant to publicly point the finger at responsible governments. The size of their user bases means the actions they decide to take or not to take can have widespread impact.

Google’s massive data-collection capabilities have long captured the attention of privacy advocates and regulators, but the company faced criticism last year after The Wall Street Journal reported that the company failed to notify consumers of a bug in its Google+ social network that exposed the data of 52 million users.

Mr. Huntley’s team issues about 4,000 warnings a month to Gmail users with accounts where it detects government-backed hackers trying to break in. Google has been criticized by lawmakers and security researchers for not doing enough to stop Russian interference in the 2016 presidential campaign, when Democratic officials such as John Podesta had their Gmail accounts broken into and YouTube was misused by the Russia-backed Internet Research Agency to spread disinformation.

“What we saw in the 2016 election was limited activity, but it was improper,” Google Chief Executive Sundar Pichai said in testimony before the House Judiciary Committee in December. “It’s something we’re working hard to mitigate and avoid.”

Google hired Mr. Huntley, 43, a former hacker with Australia’s Defense Signals Directorate, its equivalent of the NSA, in 2010, months after revealing it had suffered a major cyberattack attributed to Chinese hackers. “Google really needed a well-staffed professional team to deal with the government threats,” he said.

He and other executives who have worked at big tech cyber-threat operations say they can have more impact in the private sector than in government.


“These companies are sovereign authorities inside their products,” said Sergio Caltagirone, a former NSA analyst hired by Microsoft in 2013. Many of his peers felt the same way, he said. “There were a lot of people who had spent close to a decade in government, and everyone was recognizing, ‘Yeah, we can’t really do much,’” he said.

In 2014, Microsoft and other tech companies kicked offline servers used by a group called Axiom that investigators described as hackers-for-hire in China. That was the largest disruption of a state-sponsored hacking effort at the time, said Mr. Caltagirone, now a researcher with the security firm Dragos Inc.

Mr. Huntley’s team displayed its prowess during a strike by North Korean hackers. The team was first to publicly link North Korea to the devastating WannaCry computer-worm outbreak that shut hundreds of thousands of computers globally in May 2017.

As that ransomware attack spread, a researcher named Neel Mehta on Mr. Huntley’s team at Google’s Mountain View, Calif., campus began running code from the virus through an in-house search engine called DejaDis, which searches Google’s vast database of computer worms and viruses—a sort of Library of Alexandria of malicious software, with more than two billion samples.

Mr. Mehta saw that the WannaCry worm used a unique way of generating random numbers. He quickly linked that to another virus, called Cantopee, built by a hacking group that security researchers had linked to North Korea.

Google didn’t want to call out North Korea directly; this was the country that had launched a devastating attack on Sony Pictures.

But Mr. Huntley and Mr. Mehta found a subtler way to share their findings. Mr. Mehta posted a tweet that, to those in the know, pointed to the shared Cantopee code, showing that WannaCry was likely built not by run-of-the-mill criminals seeking money but by North Korea’s cyber army.

Others soon verified Google’s findings, and the U.S. later publicly blamed North Korea for the attack.

Mr. Huntley said the episode represents only a part of his team’s ambition. Internally, they have a range of other security tools, all integrated into a single threat-dashboard called Nirvana. “Our goal is to understand everything about these threats and make it accessible to everyone at Google,” he said.
